COVID-19 Cyberwar: How to Protect Your Business
Research Insights

COVID-19 cyberwar: How to protect your business
Attacks are escalating amid the pandemic—Our step-by-step security guide for action now

By Wendi Whitmore and Gerald Parham

How can IBM help
If you are experiencing cybersecurity issues or an incident, contact X-Force IRIS to help:
US hotline 1-888-241-9812
Global hotline (+001) 312-212-8034
Additional information can be found here: https://www.ibm.com/security/covid-19

Key takeaways

Learning from extreme events
In recent weeks, cybersecurity threats have escalated, as bad actors take advantage of the COVID-19 pandemic. While organizations worry about newly pressing concerns—workforce well-being, finance availability, and the resiliency of operations and supply chains—cybersecurity focus is being overshadowed and risks are rising.
Action: Run simulations that model the most likely threat to mitigate any vulnerabilities now.

Improvising amid chaos
Organizations that were insufficiently prepared in normal times have been caught completely off guard. In fact, 76 percent of organizations don't have an incident response plan applied consistently across the organization, according to a 2019 report.1
Action: Create or update a Cybersecurity Incident Response Plan (CSIRP).

Managing through disruption
During times of crisis, business continuity planning becomes a major strategic asset. Even organizations that are unprepared can take steps to mitigate the impacts and use the experience for future crisis planning.
Action: Observe, orient, decide, and act in rapid cycles.

COVID-19 and cybercrime

While the world struggles with the impacts of COVID-19, cybercriminals see it as an opportunity. Since February, IBM X-Force has observed a 4,300 percent increase in coronavirus-themed spam. The tendency toward ad hoc decision making during crises only accelerates the opportunity to exfiltrate data or compromise business operations. The potential impacts are more dangerous, too. A distributed denial-of-service (DDoS) attack, for instance, can be far more damaging in an operational environment that is already strained for capacity than one launched when additional capacity is readily available.

In this report, we identify key steps security leaders can take now to manage discrete, high-impact events that may arise in this environment and to prepare for additional unforeseen scenarios. Every cybersecurity crisis has a three-part lifecycle:
– Planning and detection
– In-the-moment response and remediation
– Recovery.

The first step is for leaders to identify where they are in that lifecycle and prioritize their actions accordingly. We have created recommended actions for each phase as a guide. In particular, the current pandemic environment demands increased attention to response and remediation. Drawing on lessons learned from incident response drills in security operations centers (SOCs) and cyber ranges (virtual environments for testing security capabilities), we have found that highly resilient organizations do three things well: organize and deploy resources, communicate regularly, and coordinate responses.

COVID-19's impact on the cybersecurity landscape

During 2020, business has changed radically for nearly every organization around the globe. As the number of COVID-19 cases grows and the rate of transmission accelerates in some areas and abates in others, the operations landscape evolves daily–sometimes hourly. The magnitude of impact is unprecedented.

50+ unique malware distributed in various COVID-19-themed campaigns2
1 in 4 organizations don't have an incident response plan3
#1 The combined effect of an incident response (IR) team and IR plan testing produces greater cost savings than any other security remediation process4

Opportunistic threat actors

Since February when the outbreak went global, IBM X-Force has observed a 4,300 percent increase in coronavirus-themed spam. Cybercriminals are using the coronavirus outbreak to drive their business, with virus-themed sales of malware assets on the dark web and even virus-related discount codes.5 They are also rapidly creating domains: COVID-19-related domains are 50 percent more likely to be malicious than other domains registered during the same time period.6

Numerous phishing scams have emerged. For example, IBM's X-Force Exchange is tracking a spam email that takes advantage of small business owners hoping to secure loans from the US Small Business Administration. Instead of providing help, an attachment installs a Remote Access Trojan (RAT). Another high-volume spam campaign threatens to infect recipients and their families with COVID-19 if they do not pay a ransom in bitcoin.7

A number of other scams imply association with legitimate health organizations. One email phishing attack purports to be from the World Health Organization (WHO) director-general. Attached to the email are documents that install an Agent Tesla malware variant that acts as a keylogger and info-stealer.8 A similar attack uses the US Centers for Disease Control and Prevention (CDC) as a lure.9 The IBM X-Force COVID-19 security bulletins, which consolidate a collection of threat actors and COVID-19 exploits, identify hundreds of examples.10

Reports suggest nation-state actors could be using the pandemic to make forays into US public health agencies, notably the US Department of Health and Human Services.11 As Ben Sasse, a member of the US Senate Intelligence Committee, observed, "Here's the reality of 21st century conflict: cyberattacks are massive weapons to kick opponents when they're down."12

Insight: Cybercrime damages public confidence
Cybercrime is built on threat actors' abilities to exploit fear, anxiety, and uncertainty, sentiments magnified during a pandemic. Compounding personal concerns, livelihoods of individuals and businesses are disrupted in unpredictable ways. As a World Economic Forum bulletin noted, society's increased reliance on digital infrastructure raises the cost of failure.13 This public health pandemic imposes both social and economic costs, affecting individuals in unique and profound ways. High-value assets (HVAs) are particularly vulnerable to attack. Defined by the US Cybersecurity and Infrastructure Security Agency (CISA) as "information or systems so critical that their loss or corruption would seriously affect an organization's ability to perform its mission or conduct business," HVAs are especially enticing for cybercriminals looking to damage public confidence in an organization.14

The new risks of remote work

The rapid shift to remote work has also opened new loopholes for cybercriminals to exploit. According to The New York Times, as of the first week of April 2020, 316 million people in the US were being urged to stay home.15 The global figures are orders of magnitude higher. India's shelter-in-place guidelines, for example, extend restrictions to 1.3 billion people.16

Many of those staying home are also working from home. Yet, many displaced workers lack the secure equipment or protocols that enable digital safety. With newly remote employees accessing corporate networks via personal devices, hackers are probing Wi-Fi configurations and VPN connections for security vulnerabilities. And as people congregate on cloud-based productivity platforms—both for work and personal reasons—malicious actors are launching schemes to exploit the situation, including hacking into and disrupting live meetings.17

Employees aren't the only ones who are unprepared—so are organizations. In a recent online poll by Threatpost, 70 percent of respondents said enabling remote working is fairly new for their organizations. And 40 percent reported seeing increased cyberattacks as they enable remote working.18 As US Senator Mark Warner wrote in an email, "As the federal government prepares for what is likely to be an unprecedented experiment in telework, it's also expanding opportunities for malicious actors to attack and potentially disrupt vital government services."19 The potential for continued disruption during this pandemic is high and requires crisis response leaders to maintain constant vigilance and organizational agility.

Highly resilient organizations marshal resources, communicate efficiently, and coordinate responses.

The importance of making quick decisions

During a crisis, executives and members of security teams need to filter available information to quickly make optimal decisions. Borrowing principles originally developed by military strategists, organizations benefit from incorporating tactical operations techniques such as "observe, orient, decide, and act," also known as the OODA loop.20

The OODA loop encourages iteration (see Figure 1). If you can go through it faster than whatever you're remediating, you gain an advantage. By accelerating response, you can harmonize efforts with the broader team. No decision has to be final. Making small mistakes is often better than taking no action at all.

Figure 1: Observe, Orient, Decide, Act (OODA) Loop
[Figure: four stages in a cycle. Observe takes in unfolding circumstances, outside information, and unfolding interaction with the environment, producing observations. Orient combines history, culture, analysis and synthesis, previous experiences, and new information. Decide produces a decision (hypothesis). Act carries out the action (test). Feedback from Act flows back into Observe.]
Source: "OODA loop." Wikipedia, accessed April 1, 2020. https://en.wikipedia.org/wiki/OODA_loop

Creating an incident response plan

Insight: Anatomy of a CSIRP
A Cybersecurity Incident Response Plan (CSIRP) typically includes the following information:

Most organizations are ill-equipped to handle a major cybersecurity